Deployment Architecture

Splunk Indexer Cluster not identifying new bundle ID when trying to deploy new config to Indexers

jwray97
Explorer

Hi,

I am trying to deploy a new index to my indexer cluster via the Cluster Master and have followed the usual documentation on how to deploy via the Master-Apps Folder. I have done this before and it has worked no problem, but this time I have no idea why it is not working.

When I make the change to indexes.conf and run the command "splunk validate cluster-bundle", it gives me no errors and then brings me back to my CLI, so I would presume it has validated it. Then I run the command "splunk show cluster-bundle-status" to check the bundle IDs; they are still the same IDs on the active bundle and the latest bundle. It's as if Splunk is not recognising that a change has been made to the bundle and therefore cannot deploy it down to the indexers.

I ran the command "splunk apply cluster-bundle" and it gave me the below error. However, when I checked the splunkd.log on the CM and the indexers, there was no indication of a validation error, or any error for that matter.

Is there anything that I am missing here? Just can't work out why it is not recognising that a change has been made to update the bundle IDs to be pushed down.

Thanks

 

1 Solution

jwray97
Explorer

Thanks, however I worked out what was causing the issue. There was another app which was supposed to be deployed to the Search Head Cluster, but mistakenly it was deployed to the Indexer Cluster. After I removed this app from the Master Apps Folder, I redeployed the new one and it successfully validated and pushed down to the Indexer nodes.

etoombs
Path Finder

Without knowing about your changes, it's hard to say what's happening. If you manually created or changed any .conf files though, I would check ownership and make sure they are owned by the splunk user. I've seen bundle validations fail when something doesn't have proper ownership.
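
Both causes raised in this thread (an app in the Master-Apps folder that did not belong on the indexer cluster, and .conf files not owned by the splunk user) can be checked before validating a bundle. The script below is an added example, not part of the original posts or of Splunk's tooling; the default path `/opt/splunk/etc/master-apps`, the owner name `splunk` and the allowlisted app names you pass in are assumptions to adapt.

```shell
#!/usr/bin/env bash
# Added example: audit the cluster manager's master-apps directory before
# running "splunk validate cluster-bundle".
# Assumed defaults (not from the thread): install path and owner name.
MASTER_APPS="${MASTER_APPS:-/opt/splunk/etc/master-apps}"
EXPECTED_OWNER="${EXPECTED_OWNER:-splunk}"

# Print every file or directory under $1 that is not owned by user $2
# ($2 may be a user name or a numeric UID).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Print app directories under $1 whose names are not in the allowlist given
# as the remaining arguments. "_cluster" ships with Splunk and is always allowed.
unexpected_apps() {
    local dir="$1" app name allowed ok
    shift
    for app in "$dir"/*/; do
        [ -d "$app" ] || continue
        name="$(basename "$app")"
        ok=0
        for allowed in _cluster "$@"; do
            if [ "$name" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
}

# Run both checks; return 1 if either reports a finding.
audit_master_apps() {
    local dir="$1" owner="$2" bad_owner stray rc=0
    shift 2
    bad_owner="$(wrong_owner "$dir" "$owner")"
    stray="$(unexpected_apps "$dir" "$@")"
    if [ -n "$bad_owner" ]; then
        printf 'Not owned by %s:\n%s\n' "$owner" "$bad_owner"; rc=1
    fi
    if [ -n "$stray" ]; then
        printf 'Apps not in the indexer allowlist:\n%s\n' "$stray"; rc=1
    fi
    return "$rc"
}

# When called with arguments, treat them as the allowlist of app names
# (hypothetical example: ./audit.sh org_all_indexes).
if [ "$#" -gt 0 ]; then
    audit_master_apps "$MASTER_APPS" "$EXPECTED_OWNER" "$@"
fi
```

A non-zero exit means something in the folder needs a look before the bundle is validated and applied.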

 
